Although the risk of using the Web is small, it still
merits some consideration. The basic question that you need to ask is,"
What do I have to lose?" If you use your PC purely for recreation and
don't perform any financial transactions over the Web, then the answer is,
"Not much." However, if you use your PC to store your diary and
sensitive company documents and use the Web to make online purchases, then you
may want to examine your risk more closely.

For users, Web security begins with the browser and, for
most of us, that means a Netscape or Microsoft browser. Netscape Navigator and
Microsoft Internet Explorer provide a number of features that go beyond simple
Web page display. Both browsers support executable content-Java and JavaScript.
In addition to executable content, both browsers support plug-ins (Internet
Explorer supports Navigator plug-ins and ActiveX controls, in addition to its
own), cookies, Secure Sockets Layer (SSL) communication, and digital
certificates. Each of these features has implications for user security, as
described in the following subsections.

Dealing with Executable Content

When most people think of browser vulnerabilities they
think of Java, JavaScript, and ActiveX. For most of us, the thought of opening
a Web page and automatically having a program load and execute on their
computer is a bit frightening. There is a good reason for this fear-it is a
very difficult to allow executable content without leaving yourself wide open
to a Trojan horse attack.

A Trojan horse is a program that appears to provide a
useful function while, in reality, it is attacking your system. The name comes
from the legend of the huge wooden horse that was left as a gift at the gates
of Troy. When the Trojans opened the gates of their city to bring in the horse,
Greek soldiers who had been hiding inside the horse poured out and attacked the
Trojans.

Each of the three major browser-programming technologies
uses a different approach to protecting against Trojan horses:

Java
code executes in the Java Virtual Machine (JVM), which is part of the Java
runtime system. The runtime system is designed to prevent operations that would
violate the browser's security policy.

JavaScript
eliminates Trojan-horse code by not providing objects or methods that could be
used to cause damage or violate the user's privacy.

*ActiveX
components do not provide any inherent protection against damage. Instead,
these components are digitally signed. The signature provides a high degree of
assurance that the component originated from the organization that it claims.

Navigator and Internet Explorer 4 also support signed Java
applets. The signature can be used to determine whether the applet should be
given extra privileges beyond those allowed by the default Navigator security
policy.

Of the three approaches, JavaScript's is the mostly
secure. By not providing a mechanism for creating damage, it is able to prevent
the damage from occurring. But how do we know that no object or method can be
used to cause damage? The answer is extensive analysis and testing. Could
something have been overlooked? Try writing a JavaScript script that could
damage your system.

Java's approach is next best when it comes to security.
The Java runtime system is capable of supporting multiple security policies.
For example, Java programs that are loaded from your hard disk are allowed more
privileges than applets that are loaded over the network. Signed applets are
given more a single tooth indicates that international security (40-bit)
encryption is in use. A solid key with two teeth indicates that domestic
security (12- bit) encryption is in use.

Both international and domestic security uses the Secure
Sockets Layer (551) for encryption. SSI uses public key cryptography to exchange
keys that are used for private key encryption. Digital certificates are used to
verify the identity of the organization with you are communicating.

How strong is the security provided? If no encryption is
used, then you should assume that whatever information you send could be
intercepted.

If international (40-bit) encryption is used, then your
encrypted communication is probably secure from a hacker without many
computational resources, but not from anyone else. This encryption scheme has
already been broken several times.

If domestic (128-bit) encryption is used, then you are
probably secure from most eavesdroppers. However, absolute security cannot be
guaranteed. SSL only protects information while it is in transit. Whatever
information you send is unprotected before it is transmitted by your browser
and after it is received by the server.

Maintaining Privacy

How private is your interaction with the Web? Not very
private. Whenever you request a document from a Web server, your request is
usually logged by that server. The log record doesn't identify you by name, but
it does include your IP address. It you use a static IP address, then you are
positively identified. If you use a dynamic IP address, then the log
information could apply to other users of your Internet service provider.

Both Navigator and Internet Explorer support cookies. When
cookies were first introduced, they were the subjects of some concern. Because
they can be used to maintain information about a user on the user's browser,
cookies were looked at as the instrument of Big Brother. As it turns out,
cookies can be used to maintain information about users-that was their original
intent. It this is a problem? It depends. IF you look at cookies as a way to
improve Web services, then you'll want to keep them. If you look at cookies as
a means to spy on you, then your best is to periodically delete your cookies
files. This will let you use cookies when you need to and will make it
difficult for anyone to maintain consistent information about you. You can also
make your cookie files read-only.